AWS

In love w CloudSec

Configuration

  • Create a Root and IAM user

  • The IAM user must have a console password set and an access key generated (an Access Key ID together with its Secret Access Key)

  • Under IAM, create a normal user assigned AdministratorAccess, and a misconfigured S3 bucket whose objects are publicly accessible

  • Meanwhile, set up access from the AWS CLI (awscli) by entering that user's keys into a named profile

$ aws configure --profile demo-user
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
....
  • The keys are now stored under ~/.aws/credentials. To confirm the profile works, query the identity behind it:

$ aws iam get-user --profile demo-user
{
    "User": {
        "Path": "/",
        "UserName": "demo-user",
        "UserId": "*******************",
        "Arn": "arn:aws:iam::***********:user/demo-user",
        "CreateDate": "2023-09-18T09:07:45+00:00",
        "PasswordLastUsed": "2023-09-18T09:08:21+00:00"
    }
}
  • We can now interact with the misconfigured S3 bucket

$ aws s3 ls --profile demo-user        # List the buckets
2023-09-18 14:41:53 securebucketnxg

$ aws s3 ls s3://securebucketnxg --profile demo-user    # List the objects inside the public bucket
2023-09-18 14:42:37     242687 IoT.pdf

$ aws s3 sync s3://securebucketnxg output_dir --profile demo-user     # Download the objects

So far we have listed and dumped the contents reachable from our own IAM user and buckets. But what if an unknown user finds the bucket name? How would they approach it?

  • You guessed it: the same way. If the bucket is publicly exposed, they get the objects inside it just as we did.

S3 Bucket - Best Practice

  • Navigate to Amazon S3 > Buckets > securebucketnxg > IoT.pdf > Edit access control list

After unchecking

  • Everyone

  • Anyone with AWS account

No unknown user can list the objects within the S3 bucket any more. Best practice!

$ aws s3 ls s3://securebucketnxg --profile different_user
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
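The two console checkboxes above ("Everyone" and "Anyone with AWS account") correspond to grants to the S3 global groups AllUsers and AuthenticatedUsers in the bucket or object ACL. The script below is an added example, not part of the original notes: it inspects an ACL document in the JSON shape that `aws s3api get-bucket-acl` (or `get-object-acl`) returns, reports any grant to those two groups, and produces the cleaned ACL you would hand back with `aws s3api put-bucket-acl --access-control-policy`. The sample ACL is constructed here for the bucket name used on this page, with the owner's canonical ID replaced by a placeholder; the group URIs are the real AWS identifiers.

```python
import copy
import json

# The two S3 global grantee groups. These are what the console checkboxes
# "Everyone (public access)" and "Anyone with an AWS account" toggle when
# you edit an ACL in the S3 console.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS_URI: "Everyone",
    AUTHENTICATED_USERS_URI: "Anyone with AWS account",
}


def _is_public_grant(grant):
    """True if a single ACL grant targets one of the two global groups."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_grants(acl):
    """Return (who, permission) for every public grant in an ACL document
    as returned by `aws s3api get-bucket-acl` / `get-object-acl`."""
    return [
        (PUBLIC_GROUPS[g["Grantee"]["URI"]], g.get("Permission"))
        for g in acl.get("Grants", [])
        if _is_public_grant(g)
    ]


def strip_public_grants(acl):
    """Return a copy of the ACL with the public grants removed, i.e. the
    document you would pass to `put-bucket-acl --access-control-policy`.
    The owner's own FULL_CONTROL grant is kept untouched."""
    cleaned = copy.deepcopy(acl)
    cleaned["Grants"] = [g for g in acl.get("Grants", []) if not _is_public_grant(g)]
    return cleaned


def report(name, acl):
    """One-line human-readable verdict for a bucket or object ACL."""
    hits = public_grants(acl)
    if not hits:
        return f"{name}: no public grants"
    return f"{name}: PUBLIC via " + ", ".join(f"{who} ({perm})" for who, perm in hits)


# Constructed sample (not real output): the shape of `aws s3api get-bucket-acl`
# for a bucket whose ACL grants READ to both global groups. The owner's
# canonical ID is a placeholder.
MISCONFIGURED_ACL = json.loads("""
{
    "Owner": {"DisplayName": "demo-user", "ID": "<owner-canonical-id>"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "demo-user",
                     "ID": "<owner-canonical-id>"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"}
    ]
}
""")


if __name__ == "__main__":
    print(report("securebucketnxg (before)", MISCONFIGURED_ACL))
    fixed = strip_public_grants(MISCONFIGURED_ACL)
    print(report("securebucketnxg (after)", fixed))
    # This is the document you would write back with put-bucket-acl.
    print(json.dumps(fixed, indent=2))
```

To run it against a live bucket, pipe the CLI output into the script instead of the constructed sample, for example `aws s3api get-bucket-acl --bucket securebucketnxg --profile demo-user` loaded with `json.load`. Note that this checks ACL grants only: a bucket policy that allows `"Principal": "*"` is a separate route to public exposure and is not inspected here.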

Launch an EC2 Instance

  • Search for EC2

  • Generate a key pair; the instance can then be accessed via ssh or PuTTY with the downloaded private key

  • Launch a simple instance with the default inbound rules (as of now)

$ chmod 400 cashserver.pem
$ ssh -i "cashserver.pem" ec2-user@ec2-13-x-38-x.eu-north-1.compute.amazonaws.com
